Hi Rob, Thanks for all the observations and I will keep those things in
mind. The issue was with the wrong password. Once I updated the password
everything worked!
Regards

On Mon, Jul 20, 2020 at 7:28 PM Rob Crittenden <[email protected]> wrote:

> Dwija D via FreeIPA-users wrote:
> > Hi, I am trying to search for an LDAP user using the following command but
> > get an invalid credentials error:
> >
> > # ldapsearch -x -h ldap://ipm.example.net -p 389 -b "dc=example,dc=net" -D "uid=ldapbind,cn=users,cn=account,dc=example,dc=net" uid=ambariadmin1 -W
> > Enter LDAP Password:
> > ldap_bind: Invalid credentials (49)
> >
> > I have double checked the password but the error still persists. Before
> > that, I have added an LDAP bind user with the following procedure:
> >
> > [root@example ~]# cat ldapbind.ldif
> > dn: uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net
> > changetype: add
> > objectclass: account
> > objectclass: simplesecurityobject
> > uid: ambaribind
> > userPassword: secret123
> > passwordExpirationTime: 20380119031407Z
> > nsIdleTimeout: 0
>
> I would discourage you from adding bind-only users to cn=users. We
> recommend putting them into cn=sysaccounts. This isn't a posix user and the
> IPA tools shouldn't be used to manage it.
>
> > [root@example ~]# ldapmodify -h example.net -p 389 -x -D "cn=Directory Manager" -w 'secret123' -f ldapbind.ldif
> > adding new entry "uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net"
> >
> > [root@example ~]# ipa user-show ambaribind --raw --all
> > dn: uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net
> > uid: ldapbind
> > nsaccountlock: FALSE
> > has_password: TRUE
> > has_keytab: FALSE
> > objectClass: account
> > objectClass: simplesecurityobject
> > objectClass: top
> >
> > Without the bind user, I can search the user:
> >
> > [root@example ~]# ldapsearch -x -h ipa.example.net -p 389 -b "cn=ambari,dc=example,dc=net" uid=ambariadmin1
> >
> > Can anyone please guide me where the issue is?
> > Regards
>
> There are some inconsistencies in the naming, I assume related to an
> attempt at obfuscation, which makes it difficult to spot real issues.
>
> Otherwise the ldif looks fine. I don't see any reason why the bind would
> fail. I'm not aware of any ACI that prevents bind in cn=users for
> non-IPA users but as I mentioned, we recommend using cn=sysaccounts per
> https://www.freeipa.org/page/HowTo/LDAP
>
> rob
>
>
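
A small consistency check for the kind of naming mismatches Rob points out, added here as an example and not part of the original thread or of FreeIPA: it compares the DN given to `-D` with the DN in the LDIF, checks that the RDN value also appears as an attribute of the entry, and flags entries outside cn=sysaccounts. The function names are hypothetical, the sample values are copied from the quoted message, and DNs containing escaped commas are not handled.

```python
# Added example (not from the thread or from FreeIPA): sanity-check a bind account.
# Sample values are copied from the quoted message; function names are hypothetical.
THREAD_LDIF = """\
dn: uid=ldapbind,cn=users,cn=accounts,dc=example,dc=net
changetype: add
objectclass: account
objectclass: simplesecurityobject
uid: ambaribind
"""
THREAD_BIND_DN = "uid=ldapbind,cn=users,cn=account,dc=example,dc=net"

def parse_dn(dn):
    """Split a DN into lower-cased (attr, value) pairs; escaped commas unsupported."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs

def parse_ldif_entry(text):
    """Parse one unfolded LDIF entry into {attr: [values]}, attr names lower-cased."""
    entry = {}
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def check_bind_account(ldif_text, bind_dn):
    """Return a list of findings; an empty list means the names are consistent."""
    entry = parse_ldif_entry(ldif_text)
    entry_dn = parse_dn(entry["dn"][0])
    findings = []
    if parse_dn(bind_dn) != entry_dn:
        findings.append("bind DN differs from the DN in the LDIF")
    rdn_attr, rdn_value = entry_dn[0]
    if rdn_value not in [v.lower() for v in entry.get(rdn_attr, [])]:
        findings.append(f"RDN {rdn_attr}={rdn_value} has no matching {rdn_attr} value")
    if ("cn", "sysaccounts") not in entry_dn[1:]:
        findings.append("entry is not under cn=sysaccounts")
    return findings

if __name__ == "__main__":
    for finding in check_bind_account(THREAD_LDIF, THREAD_BIND_DN):
        print(finding)
```

A clean result only rules out naming mistakes; as in this thread, error 49 can still come from the password itself.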